In the past, the term “credential” was used solely to refer to a
dedicated physical entity that intertwined an individual’s identity with
a specific entitlement, for example a passport or driver’s license.
We’ve all witnessed the progression over the last decade or so,
however, towards trusted identities that are separated out and used to
access many different entitlements. Such trusted identities are typically
manifested either as a secured version of the physical credential – the
smart card – or as an online digital “persona.” To a degree, these two
techniques have traditionally served opposite ends of the range of
authentication levels.
However, the definition and certification of trust frameworks and the
desire of users to use their own smart phones to access online and
physical services has led to a much broader range of form factors that
are being considered to support trusted identities. We believe that this
trend will continue throughout 2012 and that the evolution of form
factors will re-shape what we have traditionally defined as a
“credential.”
In support of this, trust frameworks are
helping to drive a clearer separation of the functions of identity
proofing, identifier authentication and authorization. This provides a
structure that enables various identity providers to supply certified
components of identity proofing or identifier authentication, as
referenced in the recently-updated version of the NIST Electronic
Authentication Guideline.
In addition, trust frameworks also enable service providers to
“consume” a range of certified digital identities to support their
required degree of identity assurance, in accordance with the assessed
risk level. In this light, a PIV card is underpinned by the identity
proofing provided by the NACI process, along with the authentication
techniques specified in FIPS 201-1, up to and including biometric
authentication. This combination of strong identifier authentication
and a well-defined identity proofing process supports the production of
the very high assurance credential for this program. The smart card
provides the secure credential to bind together a user’s identifier with
their “proofed” identity.
Thus, it is clear that the three salient attributes of the PIV card
are: the underlying identity proofing process; the use of strong
authentication; and the secure binding inside the smart card of the user
and their identifier by which they are known. The projection of these
three factors, along with implicit cryptographic data protection and
transport mechanisms, onto many diverse form factors such as smart
phones, will enable users to access services using a broad variety of
authentication mechanisms, in some cases using derived credentials.
Indeed, as the global use of smart phones in personal, corporate,
citizen and defense environments expands, it is critical to focus on
these attributes to ensure that they are certified to fulfill a
specified degree of identity assurance, rather than on the particular
form factor used. This will enable users and service providers alike to
use or accept, respectively, a wide range of user credentials, and will
narrow the gap in terms of the levels of authentication that the various
form factors can support.
We envisage that 2012 will see this continued certification of
identity components and, therefore, users will be able to interact with
service providers in a variety of ways. This will improve user
convenience, by providing the ability to use already-available devices
such as smart phones, in some cases with built-in biometric
authentication capability. By the end of the year, this combination of
strong authentication, along with the appropriate identity proofing,
will allow such devices to be used in high assurance environments, and
thereby serve as trusted credentials.
By Colin Soutar, Director of Identity and Privacy Assurance, CSC
Source: Secure ID News